Analog/ISDN Line Security Policy

1. Overview

See Purpose.

2. Purpose

This document explains eCuras analog and ISDN line acceptable use and approval policies and procedures. This policy covers two distinct uses of analog/ISDN lines: lines that are to be connected for the sole purpose of fax sending and receiving and lines that are to be connected to computers.

3. Scope

This policy covers only those lines that are to be connected to a point inside eCuras building and testing sites. It does not pertain to ISDN/phone lines connected to employee homes, PBX desktop phones, and Telecom’s lines for emergency and non-corporate information purposes.

4. Policy

4.1  Scenarios & Business Impact

Two critical scenarios involve analog line misuse, which we attempt to guard against through this policy. The first is an outside attacker who calls a set of analog line numbers in the hope of connecting to a computer that has a modem attached to it. If the modem answers (and most computers today are configured out-of-the-box to auto-answer) from inside eCuras premises, then there is the possibility of breaching eCuras’s internal network through that computer, unmonitored. At the very least, information that is held on that computer alone can be compromised. This potentially results in the loss of millions of dollars worth of corporate data.

The second scenario is the threat of anyone with physical access into a eCuras facility being able to use a modem-equipped laptop or desktop computer. In this case, the intruder would be able to connect to the trusted networking of eCuras through the computer’s Ethernet connection, and then call out to an unmonitored site using the modem, with the ability to siphon eCuras information to an unknown location. This could also potentially result in a substantial loss of vital information.

Specific procedures for addressing the security risks inherent in each of these scenarios follow.

4.2  Facsimile Machines

As a rule, the following applies to requests for fax and analog lines:

• Fax lines are to be approved for departmental use only.
• No fax lines will be installed for personal use.
• No analog lines will be placed in a personal cubicle.
• The fax machine must be placed in a centralized administrative area designated for departmental use, and away from other computer equipment.
• A computer capable of making a fax connection cannot use an analog line for this purpose.

Waivers for the above policy on analog-as-fax lines will be delivered on a case-by-case basis after reviewing the business need with respect to the request’s level of sensitivity and security posture.

The use of an analog/ISDN fax line is conditional upon the requester’s full compliance with the requirements listed below. These requirements are the responsibility of the authorized user to enforce at all times:

• The fax line is used solely as specified in the request.
• Only persons authorized to use the line have access to it.
• When not in use, the line is to be physically disconnected from the computer.
• When used, the computer must be physically disconnected from eCuras’s internal network.
• The line will be used solely for eCuras business, and not for personal reasons.
• All downloaded material, before being introduced into eCuras systems and networks, must have been scanned by an approved anti-virus utility (e.g., McAfee VirusScan), which has been kept current through regular updates.

4.3  Computer-to-Analog Line Connections 

The general policy is that requests for computers or other intelligent devices connected with analog or ISDN lines from within eCuras will not be approved for security reasons. Analog and ISDN lines represent a significant security threat to eCuras, and active penetrations have been launched against such lines by hackers. Waivers to the policy above will be granted on a case by case basis.

Replacement lines, such as those requested because of a move, fall under the category of “new” lines. They will also be considered on a case by case basis.

4.4  Requesting an Analog/ISDN Line

Once approved by a manager, the individual requesting an analog/ISDN line must provide the following information to Telecom:

• a detailed business case of why other secure connections available at eCuras cannot be used,
• the business purpose for which the analog line is to be used,
• the software and hardware to be connected to the line and used across the line,
• what external connections the requester is seeking access.

The business case must answer, at a minimum, the following questions:

• What business needs to be conducted over the line?
• Why is a eCuras-equipped desktop computer with Internet capability unable to accomplish the same tasks as the proposed analog line?
• Why is eCuras’s current dial-out access pool unable to accomplish the same tasks as an analog line?

Also, the requester must be prepared to answer the following supplemental questions related to the security profile of the request:

• Will the machines using analog lines be physically disconnected from eCuras’s internal network?
• Where will the analog line be placed? A cubicle or lab?
• Is dial-in from outside of eCuras needed?
• How many lines are being requested, and how many people will use the line?
• How often will the line be used? Once a week, 2 hours per day…?
• What is the earliest date the line can be terminated from service?
• The line must be terminated as soon as it is no longer in use.
• What other means will be used to secure the line from unauthorized use?
• Is this a replacement line from an old location? What was the purpose of the original line?
• What types of protocols will be run over the line?
• Will a eCuras-authorized anti-virus scanner be installed on the machine(s) using the analog lines?
• The requester should use the Analog/ISDN Line Request Form to address these issues and submit a request.

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Revised: March 14th, 2018

Table of Content

1. Acceptable Encryption Policy
2. Acceptable Use Policy
3. Clean Desc Policy
4. Data Breach Response Policy
5. Disaster Recovery Plan Policy
6. Digital Signature Acceptance Policy
7. Email Policy
8. Ethics Policy
9. Pandemic Response Planning Policy
10. Password Construction Guidelines
11. Password Protection Policy
12. Security Response Plan Policy
13. End User Encryption Key Protection Policy
14. Acquisition Assessment Policy
15. Bluetooth Baseline Requirements Policy
16. Remote Access Policy
17. Remote Access Tools Policy
18. Router and Switch Security Policy
19. Wireless Communication Policy
20. Wireless Communication Standard
21. Database Credentials Policy
22. Technology Equipment Disposal Policy
23. Information Logging Standard
24. Lab Security Policy
25. Server Security Policy 
26. Software Installation Policy
27. Workstation Security (For HIPAA) Policy
28. Web Application Security Policy
29.  Analog/ISDN Line Security Policy
30. Anti-Virus Guidelines
31. Server Audit Policy
32. Automatically Forwarded Email Policy
33. Communications Equipment Policy
34. Dial In Access Policy
35. Extranet Policy
36. Internet DMZ Equipment Policy
37. Internet Usage Policy
38. Mobile Device Encryption Policy
39. Personal Communication Devices and Voicemail Policy
40. Removable Media Policy
41. Risk Assessment Policy
42. Server Malware Protection Policy
43. Social Engineering Awareness Policy
44. DMZ Lab Security Policy
45. Email Retention Policy
46. Employee Internet Use Monitoring and Filtering Policy
47. Lab Anti Virus Policy
48. Mobile Employee Endpoint Responsibility Policy
49. Remote Access Mobile Computing Storage
50. Virtual Private Network Policy